Downloads mistakenly denied

Dear all,

We'rve been using  Forefront TMG for a few months in single NIC configuration.  for most websites, we deny  download of certain types of content. But we would like to allow everything for  a limited numbers of website, like Intranet websites. No restriction is applied except for the destination.. It's open to all users, all content types, all protocolsThis rules is called:

Anonymous access

So we created a rule allowing everything for those  Domain and URLs sets for which we want to allow  users to download. the rules comes is at  the top of the "Web Access policy Group" list.


And down the list you can find the rule that denies download for every other websites except the Domain and URLs sets for which we allow downloads specified "Anonymous Access" rule above. This denying rules is called

HTTP Downloads Forbidden

Rule settings:
Users: Domain Users.Exceptions: Admins and Helpdesk
From: Internal and local host
To:Internal and local host: Exceptions: Domain, Network and URLs sets specified in the "Anonymous Access rule"


Administrators and Helpdesk have no problem. But  domain users when trying to download from URL's contained in  the "Anonymous access" rule, they still get blocked by the "HTTP Downloads Forbidden" rule.

Any idea?

Thanks everyone!

Mart
MartCarAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rafter81Commented:
The domains and/or urls are not being actioned correctly.  I've found in the past that this can be for various reasons.  It can be that the domain or url the site initially goes to then goes to another site.  It can simply be that its the IP address that is recognised instead of the url or domain.  I've found that domains and url rules are unreliable.

Have you tried looking up a particular site you want to give access to, find it's IP address and give access that way in the "anonymous rule"..  Adding it as a computer or computer set, or subnet if relevent.

Its worth trying out IP addresses - it will confirm if the 1st rule is actually working correctly as its not using this rule it is going through to the deny rule which domain users are denied.  That would be why its working ok for your admins as they are exceptions..
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.